Time estimates for NAC / 802.1x auth in an EXOS environment

Question (updated 3 days ago, edited)
Looking to implement 802.1x (wired) for a client having a need to more strictly control access to ports in common areas such as conference rooms, cubicle farms, etc. Have never done this in a wired environment (using all EXOS, mostly 440G2, 460, 670) and I'm wondering how much effort is involved in deploying NAC, configuring all of the switches (about 16 - 10 of those are stacks), etc. Goal is to have authenticated access grant connections to the private LAN, otherwise assign a port to the guest network delivering only Internet access. There are about 400 users in this environment. Wireless is currently providing only guest access, so we're not tackling that in this project. Any suggestions, best practices, experiences? Is this a lot of work?

Add-on question: Does anyone know if RSA SecurID can be used as the authentication source for 802.1x auth requests? This client has a fully deployed RSA environment for remote access and rather than deploy another authentication mechanism, I'm thinking it makes sense to use what they already have (given that it's two factor as well). Thoughts?

Eric Burke, posted 6 days ago

Yacobucci, Ryan, Multi-Tier Technical Support Engineer

Hello,

From a configuration perspective it isn't a large amount of work.

Policy will push out policy configurations and enable global and port based authentications with a few clicks of the mouse. Once NAC is installed it can configure RADIUS configurations on the switches with a few clicks of the mouse as well.

The difficulty that comes with these types of deployments often depends on how exactly you want the environment to operate.

Policy considerations: It sounds like you could configure the default role on the port to be inside the guest VLAN, you can configure the "Guest" role in policy to be a "Contain to VLAN" and deny access to internal subnets, or you could just prevent access to internal subnets and manually configure the egress on the port. 

You could then create an "Authorized" role configured in policy that would "Contain to VLAN" to the authorized VLAN. 

Extreme Control considerations: If the above is all you want for behavior you would need to create a minimum amount of rules, essentially just a "If 802.1x then 'Authorized'" role, with the default catch all providing "Guest" access. 

Will all devices that are "Authorized" be part of a group policy domain? Certificates are a consideration here as well. Microsoft wants to validate certificates by default so you'd need to either push certificates to the devices or purchase a certificate signed by a commercial entity to bypass certificate trust errors on connection.

Enable global/port based authentication for 802.1x and MAC authentication. Authorized users would pass 802.1x authentication and be provided "Authorized" while other devices would be captured under the MAC authentication default catch all to be provided "Guest".

NAC deployment itself is very easy, spin up the appliance and give it an IP address and tell it where XMC is located and that's about it for initial deployment. 

IMO the problem with these deployments is that unless you're very familiar with the product, configuration can be complicated. The goals I believe that would be a good start:

Define required client behavior from the NAC rules engine perspective (which end system gets which role). Spin up NAC, add it to XMC and configure NAC rules accordingly.

Define required policy roles/rules to fill out the different NAC states from step 1 (Eg. Guest role has access to which vlan/resources, Authorized role has access to which vlan/resources). Configure policy roles/rules accordingly.

Define 802.1x supplicant configuration/requirements. EAP-PEAP or EAP TLS? Internally signed certificate for PEAP? GPO to distribute root CA certificate? Minimum required configuration would be to not validate certificate as the NAC comes with a canned self signed one that Windows cannot validate.

Define test stack for testing and validation. 

Add switch into NAC "Switches" tab and enforce to push RADIUS global configurations

Add switch into policy manager domain and enforce to configure global Policy configurations

Use policy to enable 802.1x and MAC authentication from a global/port perspective to enable the solution.

The solution should operate conceptually in the following manner:

1. Client plugs into switch port.

2. MAC and 802.1x start, MAC usually completes first, 802.1x completes after if supplicant is configured for authentication.

3. NAC receives authentication request for MAC and provides "Guest" role. NAC completes authentication for 802.1x and provides "Authorized" role in the RADIUS accept back to the switch. 

4. 802.1x authentication result will take precedence resulting in the "Authorized" role to be used for the end system session.

5. Switch local configuration for "Authorized" policy will be used to control traffic for the authenticated end system.

If no 802.1x is performed the MAC authentication result of "Guest" will be used on the port.

Professional services could probably get a skeleton config up on a test stack just to proof it in about a day or two. This is just my estimate though....

I'm not sure about the followup question. I don't believe I've encountered a 2 factor authentication code that is used as the source for 802.1x. 

Thanks
-Ryan

Eric Burke

Ryan... First off, thanks for the really detailed response! This is exactly what I was looking for and for the most part it all makes sense. The only thing I'm not 100% sure I understand is why use MAC at all? Windows 10 allows the saving of credentials in the network authorization settings. Since these credentials are AD based, even if they're saved - disabling the account in AD should stop the device from passing the 802.1x auth. If a user brings a laptop into the conference room, it would most likely not have 802.1x enabled (especially if it's a home machine). Perhaps this is where the problem lies? Would the lack of a supplicant simply cause a port lockout and never pass traffic? As I understand it, the switch port will only accept and proxy the ethertype associated with 802.1x (packaging the auth into IP for forwarding to NAC) until this succeeds. If that's the case, how does the MAC play a role in this? Is it simply allow "any" mac, but if 802.1x is provided on top of it, put it into the authorized network? Not sure I understand how that happens logistically. 

Eric
Yacobucci, Ryan, Multi-Tier Technical Support Engineer

Hello Eric,

You are correct in that you do not need to have MAC authentication enabled. You can rely on the default policy assigned to the port to provide a "Guest" role in an authentication optional configuration. 

Auth Optional should allow the device to connect using the default policy on the port if authentication was not successful. Auth Required will require authentication on the port to occur. 

MAC authentication would give you more control of non-EAP end systems if desired.

The NAC allows any MAC address and NAC can provide elevated access based on MAC address.

MAC authentication would also be required if you were looking for a captive portal for non-eap end systems.

Thanks
--Ryan
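The port behaviour Ryan lays out in both replies (MAC auth and 802.1x running in parallel, the NAC rule "if 802.1x then Authorized" with a Guest catch-all, 802.1x taking precedence, and auth optional falling back to the port's default policy), as an added example model that is not from the thread or any Extreme product; the `auth_required` flag, the role names and the constructed end systems are assumptions for the model.

```python
# Added example, not from the thread or any Extreme product: a model of the
# per-port behaviour described above. Role names, the auth_required flag and
# the three constructed end systems are assumptions for the model.
PORT_DEFAULT_ROLE = "Guest"   # default policy assigned to the edge port


def nac_rules_engine(method, credentials_valid=True):
    """Rule set from the thread: 'If 802.1x then Authorized', catch-all Guest.
    Returns (accepted, role); a failed 802.1X attempt is a RADIUS Reject."""
    if method == "dot1x":
        return (True, "Authorized") if credentials_valid else (False, None)
    return (True, "Guest")                    # MAC auth default catch-all


class PortSession:
    """RADIUS results the switch holds for one end system on one port."""
    def __init__(self, mac_auth_enabled=True, auth_required=False):
        self.mac_auth_enabled = mac_auth_enabled
        self.auth_required = auth_required    # False means auth optional
        self.results = {}                     # method -> role from Access-Accept

    def authenticate(self, method, **kw):
        if method == "mac" and not self.mac_auth_enabled:
            return None                       # switch never sends a MAC auth request
        accepted, role = nac_rules_engine(method, **kw)
        if accepted:
            self.results[method] = role
        else:
            self.results.pop(method, None)    # Reject clears any earlier result
        return role

    def effective_role(self):
        if "dot1x" in self.results:           # 802.1X result wins over MAC auth
            return self.results["dot1x"]
        if "mac" in self.results:
            return self.results["mac"]
        # nothing authenticated: auth optional falls back to the port default,
        # auth required leaves the end system with no forwarding role
        return None if self.auth_required else PORT_DEFAULT_ROLE


def walk_through():
    """Three constructed end systems plugged into a MAC + 802.1X port."""
    visitor = PortSession()                   # no supplicant at all
    visitor.authenticate("mac")
    corp = PortSession()                      # supplicant, valid AD account
    corp.authenticate("mac")
    corp.authenticate("dot1x")
    disabled = PortSession()                  # supplicant, AD account disabled
    disabled.authenticate("mac")
    disabled.authenticate("dot1x", credentials_valid=False)
    return (visitor.effective_role(), corp.effective_role(), disabled.effective_role())
```

With MAC auth turned off (Eric's question), a supplicant-less device still lands in Guest through the port default policy under auth optional, but gets no role at all under auth required.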